CS Prof Finds Internet Communications Flaw

Weakness Could Compromise Online Privacy and Security

Xinwen Fu

03/25/2009
For more information, contact media@uml.edu or 978-934-3224

When you browse a website, share files or chat anonymously, you would think your computer’s firewall or anti-spyware program would keep your user identity private and secure. But research done by an international team of experts, led by Computer Science Asst. Prof. Xinwen Fu, has revealed a flaw in the Internet’s popular anonymous communications network called Tor. Unscrupulous individuals, agencies or organizations could exploit Tor’s weakness to covertly gather personal information from unsuspecting users.

“When you want to browse a website anonymously, you pick up a few Tor routers – computers installed with the Tor software and with appropriate configuration – from the Tor network, which consists of more than 1,000 such routers,” says Fu. “These routers will forward your browsing request to the web server. This scenario is the simplest use of Tor. It can be used for many other kinds of anonymous communication such as anonymous file sharing and anonymous chatting.”

Fu and his co-researchers from Southeast University, Cisco Systems, the University of Hong Kong and the University of Macau have found a simple, quick and effective way to “hack” into Tor’s protocol by simply “contributing” computers to the Tor network, modifying the Tor software and tracing those who use their computers.

“Let’s say Big Brother does not like anonymous communication and wants surveillance over Tor,” he says. “Since anybody can donate his or her computer to the Tor network and configure it as a Tor router, Big Brother can ‘donate’ its computers. If it donates, say, 100 computers, Tor cannot maintain anonymity for its users any longer. On average, each time a person uses Tor twice for anonymous communication, Big Brother can use our technique to recognize the communication relationship between the sender and receiver with 100 percent certainty, that is, find out which website the user browses and who the user communicates with. The attack only manipulates one single network packet to achieve this much damage.”

Fu presented the team’s findings at the recent Black Hat computer-security conference in Washington, D.C.
  
“Each year thousands of people, including federal agencies such as the CIA, FBI and Homeland Security, attend the two Black Hat conferences in the U.S. – in D.C. in February and Las Vegas in July,” he says. “They attract wide press coverage. This was a great chance to promote our research and the University to the world and attract possible sponsors for our work.”

The group’s findings showed the IT security community the challenge of safeguarding Internet privacy and security. “With just moderate resources, a malicious organization can place you under constant surveillance, though you may think you are fully protected,” says Fu.

“From our experience, Tor cannot be used for real anonymity. If the anonymity of an e-commerce transaction is extremely critical, you may have to resort to the traditional, old-fashioned way, which also has its own shortcomings. In summary, pure online privacy is tough to achieve, and much more research effort is needed to address the whole spectrum of issues involved.”

Fu’s Black Hat presentation was supported by the University’s Center for Network and Information Security, led by its director, Dr. Jie Wang.

- Edwin Aguirre